def test_invalid_header_contentSecurity(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({
"Content-Security-Policy":
"$# default-src https://my.csp.domain.amsterdam"
})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def set_up_nginx_files(m2ee):
lines = ""
if use_instadeploy(m2ee.config.get_runtime_version()):
mxbuild_upstream = "proxy_pass http://mendix_mxbuild"
else:
mxbuild_upstream = "return 501"
with open("nginx/conf/nginx.conf") as fh:
lines = "".join(fh.readlines())
http_headers = parse_headers()
lines = (
lines.replace("CONFIG", get_path_config())
.replace("NGINX_PORT", str(get_nginx_port()))
.replace("RUNTIME_PORT", str(get_runtime_port()))
.replace("ADMIN_PORT", str(get_admin_port()))
.replace("DEPLOY_PORT", str(get_deploy_port()))
.replace("ROOT", os.getcwd())
.replace("HTTP_HEADERS", http_headers)
.replace("MXBUILD_UPSTREAM", mxbuild_upstream)
)
for line in lines.split("\n"):
logger.debug(line)
with open("nginx/conf/nginx.conf", "w") as fh:
fh.write(lines)
gen_htpasswd({"MxAdmin": get_m2ee_password()})
gen_htpasswd(
{"deploy": os.getenv("DEPLOY_PASSWORD")}, file_name_suffix="-mxbuild"
)
def test_valid_header_permittedPolicies(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Permitted-Cross-Domain-Policies": "by-content-type"})
header_config = headers.parse_headers()
self.assertIn(
"add_header X-Permitted-Cross-Domain-Policies 'by-content-type';",
header_config,
)
def test_valid_header_referrerPolicy(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"Referrer-Policy": "no-referrer-when-downgrade"})
header_config = headers.parse_headers()
self.assertIn(
"add_header Referrer-Policy 'no-referrer-when-downgrade';",
header_config,
)
def handle(self):
# read request message
method, path, protocol = self.rfile.readline().decode().split()
self.parse_rfile = []
for line in self.rfile:
if line == b'\r\n':
break
self.parse_rfile.append(line)
req_headers = {
key.lower().capitalize(): val
for key, val in headers.parse_headers(self.parse_rfile).items()
}
content_length = req_headers.get('Content-length')
if content_length: # if request body exists
body = self.rfile.read(int(content_length))
else:
body = None
if debug:
print("Method : {0}".format(method))
print("Path : {0}".format(path))
print("Protocol : {0}".format(protocol))
print("Request Headers : {0}".format(req_headers))
print("Content Length : {0}".format(content_length))
print("Body : {0}".format(body))
# read content from file name: '.' + path
filename = '.' + path
try:
f = open(filename, 'rb')
content = f.read()
f.close()
except Exception as e:
content = None
# Build response message
res_headers = {}
res_headers['Date'] = time.asctime()
res_headers['Server'] = 'MyServer/1.0'
res_headers['Connection'] = req_headers.get('Connection')
if content:
content_type, encoding = mimetypes.guess_type(filename)
res_headers['Accept-Ranges'] = 'bytes'
res_headers['Content-type'] = content_type
res_headers['Content-length'] = str(len(content))
print('HTTP/1.1 200 OK')
self.wfile.write(b'HTTP/1.1 200 OK\r\n')
self.wfile.write(headers.to_bytes(res_headers) + b'\r\n')
self.wfile.write(content)
else:
print('HTTP/1.1 404 Not found')
self.wfile.write(b'HTTP/1.1 404 not found\r\n')
self.wfile.write(headers.to_bytes(res_headers) + b'\r\n')
if debug:
print("Response Headers : {0}".format(res_headers))
self.wfile.flush()
def test_valid_header_xfrmaeOption(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Frame-Options": "allow-from https://mendix.com"})
os.environ["X_FRAME_OPTIONS"] = "deny"
header_config = headers.parse_headers()
self.assertIn(
"add_header X-Frame-Options 'allow-from https://mendix.com';",
header_config,
)
def test_valid_header_contentSecurity(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({
"Content-Security-Policy":
"default-src https: \u0027unsafe-eval\u0027 \u0027unsafe-inline\u0027; object-src \u0027none\u0027" # noqa: E501
})
header_config = headers.parse_headers()
self.assertIn(
"add_header Content-Security-Policy 'default-src https: \\'unsafe-eval\\' \\'unsafe-inline\\'; object-src \\'none\\'';", # noqa: E501
header_config,
)
def test_valid_header_xssProtection(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({
"X-XSS-Protection":
"1; report=https://domainwithnewstyle.tld.consultancy"
})
header_config = headers.parse_headers()
self.assertIn(
"add_header X-XSS-Protection '1; report=https://domainwithnewstyle.tld.consultancy';",
header_config,
)
def request_handler(rfile, wfile):
while True:
# read request message
method, path, protocol = rfile.readline().decode().split()
req_headers = headers.parse_headers(rfile)
content_length = req_headers.get('Content-length')
if content_length: # if request body exists
body = rfile.read(int(content_length))
else:
body = None
print(method, path, protocol)
print(req_headers)
if content_length:
print(body)
# Build response message
import os
file = '.' + path
try:
f = open(file, 'rb')
except:
content = None
else:
content = f.read()
f.close()
if content:
print('HTTP/1.1 200 OK')
wfile.write(b'HTTP/1.1 200 OK\r\n')
else:
print('HTTP/1.1 404 not found')
wfile.write(b'HTTP/1.1 404 not found\r\n')
res_headers = {}
res_headers['Date'] = time.asctime()
res_headers['Server'] = 'MyServer/1.0'
res_headers['Accept-Ranges'] = 'bytes'
if req_headers.get('Connection') == 'close':
res_headers['Connection'] = 'close'
else:
res_headers['Connection'] = 'keep-alive'
if content:
content_type, encoding = mimetypes.guess_type(file)
res_headers['Content-type'] = content_type
res_headers['Content-length'] = str(len(content))
res_headers_text = headers.to_bytes(res_headers)
print(res_headers_text.decode())
wfile.write(res_headers_text)
if content:
wfile.write(content)
wfile.flush()
if res_headers['Connection'] == 'close':
break
def test_valid_header_partial(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({
"Referrer-Policy":
"no-referrr-when-downgrade",
"Access-Control-Allow-Origin":
"https://this.is.mydomain.nl",
"X-Content-Type-Options":
"nosniff",
})
header_config = headers.parse_headers()
self.assertNotIn(
"add_header X-XSS-Protection '1; report=https://domainwithnewstyle.tld.consultancy';",
header_config,
)
def handle(self):
print(self.request)
# read request message
method, path, protocol = self.rfile.readline().decode().split()
req_headers = headers.parse_headers(self.rfile)
content_length = req_headers.get('Content-length')
if content_length: # if request body exists
body = self.rfile.read(int(content_length))
else:
body = None
print(method, path, protocol)
print(req_headers)
if content_length:
print(body)
# read content from file name: '.' + path
file = '.' + path
try:
f = open(file, 'rb')
except Exception as e:
content = None
else:
content = f.read()
f.close()
# Build response message
if content:
print('HTTP/1.1 200 OK')
self.wfile.write(b'HTTP/1.1 200 OK\r\n')
else:
print('HTTP/1.1 404 Not found')
self.wfile.write(b'HTTP/1.1 404 not found\r\n')
res_headers = {}
res_headers['Date'] = time.asctime()
res_headers['Server'] = 'MyServer/1.0'
res_headers['Connection'] = 'close' if req_headers.get(
'Connection') == 'close' else 'keep-alive'
if content:
content_type, encoding = mimetypes.guess_type(file)
res_headers['Accept-Ranges'] = 'bytes'
res_headers['Content-type'] = content_type
res_headers['Content-length'] = str(len(content))
print(res_headers)
self.wfile.write(headers.to_bytes(res_headers))
if content:
self.wfile.write(content)
self.wfile.flush()
def test_valid_header_accessControl(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"Access-Control-Allow-Origin": "*"})
header_config = headers.parse_headers()
self.assertIn("add_header Access-Control-Allow-Origin '*';",
header_config)
def handle(self):
# read a request message
buffer = self.request.recv(1024).strip()
file = io.BytesIO(buffer)
request_headers = headers.parse_headers(file)
# print('request_headers: ', request_headers)
# read content from file name: '.' + path
PATH = ''
PATH = request_headers['PATH']
METHOD = ''
METHOD = request_headers['METHOD']
senddata = b'\r\n'
print(PATH, METHOD)
if METHOD != 'GET':
PATH = '/notget.html'
print(PATH, METHOD)
if PATH == '/public/index.html':
f = open('./public/index.html', 'rb')
elif PATH:
if PATH == '/css/style.css' or PATH == '/favicon.ico':
f = open('./public' + PATH, 'rb')
elif PATH == '/notget.html':
f = open('./public' + PATH, 'rb')
elif os.path.isfile("." + PATH):
f = open('.' + PATH, 'rb')
else:
f = open('./public/404.html', 'rb')
else:
f = open('./public/404.html', 'rb')
data = f.read(1024)
while data:
senddata += data
data = f.read(1024)
f.close()
# Build the response message
res_status_line = ''
res_status_line = 'HTTP/1.1 404 Not found'
res_headers = {}
res_headers['Date'] = time.asctime()
res_headers['Server'] = 'MyServer/1.0'
res_headers['Accept-range'] = 'bytes'
if PATH == '/public/index.html':
f = open('./public/index.html', 'rb')
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(
os.path.getsize('./public' + '/index.html'))
res_status_line = 'HTTP/1.1 200 OK\r\n'
elif PATH:
if PATH == '/css/style.css' or PATH == '/favicon.ico':
f = open('./public' + PATH, 'rb')
res_headers['Content-type'] = mimetypes.guess_type('./public' +
PATH)[0]
res_headers['Content-Length'] = str(
os.path.getsize('./public' + PATH))
res_status_line = 'HTTP/1.1 200 OK\r\n'
elif os.path.isfile("." + PATH):
f = open('.' + PATH, 'rb')
res_headers['Content-type'] = mimetypes.guess_type(PATH)[0]
res_headers['Content-Length'] = str(os.path.getsize('.' +
PATH))
# res_headers['Content-Length'] = '10000'
res_status_line = 'HTTP/1.1 200 OK\r\n'
else:
f = open('./public/404.html', 'rb')
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(
os.path.getsize('./public' + '/404.html'))
else:
f = open('./public/404.html', 'rb')
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(
os.path.getsize('./public' + '/404.html'))
if PATH == '/notget.html':
res_headers['Content-Length'] = str(
os.path.getsize('./public' + '/notget.html'))
for k in res_headers:
line = k + ': ' + res_headers[k] + '\r\n'
res_status_line += line
sbuff = res_status_line.encode()
sbuff += senddata
self.wfile.write(sbuff)
self.wfile.flush() # Flush-out output buffer for immediate sending
def test_invalid_header_permittedPolicies(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Permitted-Cross-Domain-Policies": "#%#^#^"})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def test_invalid_header_xssProtection(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-XSS-Protection": "1;mode=bock"})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def test_invalid_header_json(self):
os.environ["HTTP_RESPONSE_HEADERS"] = "invalid"
with self.assertRaises(ValueError):
headers.parse_headers()
def test_invalid_header_contentType(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Content-Type-Options": ""})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def test_invalid_header_xframeOption(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Frame-Options": "allow-form htps://mendix.com"})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def test_valid_header_contentType(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"X-Content-Type-Options": "nosniff"})
header_config = headers.parse_headers()
self.assertIn("add_header X-Content-Type-Options 'nosniff';",
header_config)
def test_invalid_header_accessControl(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"Access-Control-Allow-Origin": "htps://this.is.mydomain.nl"})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def handle(self):
# read a request message
# print(self.client_address[0])
import os
buffer = self.request.recv(1024).strip()
file = io.BytesIO(buffer)
request_headers = headers.parse_headers(file)
# print('request_headers: ', request_headers)
PATH = ''
PATH = request_headers['PATH']
KeepAlive = ''
if 'Keep-Alive' in request_headers:
KeepAlive = request_headers['Keep-Alive']
if request_headers['CONNECTION']:
CONNECTION = request_headers['CONNECTION']
else:
CONNECTION = 'keep-alive'
print(PATH, CONNECTION)
pass
senddata=b'\r\n'
# read content from file name: '.' + path
if PATH == '/test/index.html':
f = open('./test/index.html', 'rb')
elif PATH:
if os.path.exists("." + PATH):
if PATH == '/test' or PATH == '/test/':
f = open('./test/404.html', 'rb')
else:
f = open('.'+PATH, 'rb')
else:
f = open('./test/404.html', 'rb')
data = f.read(1024)
while data:
senddata+=data
data = f.read(1024)
f.close()
pass
# Build the response message
import mimetypes
import time
text = ''
res_headers = {}
res_headers['Date'] = time.asctime()
res_headers['Server'] = 'MyServer/1.0'
res_headers['Accept-range'] = 'bytes'
if CONNECTION == 'keep-alive':
res_headers['Connection'] = 'keep-alive'
if KeepAlive == '':
res_headers['Keep-Alive'] = 'timeout=10, max=100'
else:
KeepAlive = list(KeepAlive.split(', '))
if int(KeepAlive[1]) -1 == 0:
res_headers['Connection'] = 'close'
else:
KeepAlive[1] = int(KeepAlive[0][4:]) - 1
KeepAlive = ', '.join(KeepAlive)
res_headers['Keep-Alive'] = KeepAlive
elif CONNECTION == 'close':
res_headers['Connection'] = 'close'
if PATH == '/test/index.html':
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(os.path.getsize('./test'+'/index.html'))
text += 'HTTP/1.1 200 OK\r\n'
elif PATH:
if os.path.exists("." + PATH):
if PATH == '/test' or PATH == '/test/':
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(os.path.getsize('./test'+'/404.html'))
text += 'HTTP/1.1 200 OK\r\n'
else:
res_headers['Content-type'] = mimetypes.guess_type(PATH)[0]
res_headers['Content-Length'] = str(os.path.getsize('.'+PATH))
text += 'HTTP/1.1 200 OK\r\n'
else:
res_headers['Content-type'] = 'text/html'
res_headers['Content-Length'] = str(os.path.getsize('./test'+'/404.html'))
text += 'HTTP/1.1 404 Not found'
for k in res_headers:
line = k+': '+res_headers[k]+'\r\n'
text += line
sbuff = text.encode()
sbuff+=senddata
self.wfile.write(sbuff)
pass
self.wfile.flush() # Flush-out output buffer for immediate sending
def test_invalid_header_referrerPolicy(self):
os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps(
{"Referrer-Policy": "no-referrr-when-downgrade"})
header_config = headers.parse_headers()
self.assertEquals("", header_config)
def test_valid_with_xframeOption(self):
os.environ["HTTP_RESPONSE_HEADERS"] = "{}"
os.environ["X_FRAME_OPTIONS"] = "DENY"
header_config = headers.parse_headers()
self.assertIn("add_header X-Frame-Options 'DENY';", header_config)